
Why do we Pen Test?

Hi all,

I've been away from AO for a while, busy with some stuff going on lately. I have a question that fits best here, so I'm back.

Here's the situation. Recently, my organization has been questioning the value of Penetration Testing. It turns out the people asking didn't really know what it was to begin with. I am in the process of explaining it to these folks now. However, the questions keep coming up: "What is the value added?" "Why should we continue?" "Who should be doing it?"

So I have a few questions to the mighty AO:

Why do you pen test?
Why don't you pen test?
What is the value? Who (what functions) should be doing the testing?

Additionally, for the member who will slam me for posting a redundant topic, I am looking for some fresh info. Please, no links to other threads.

Any input would be great! TIA!

Thanks,
-Deeboe

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
- Sun Tzu, The Art of War

Why do you pen test?
Why don't you pen test?
What is the value?
Who (what functions) should be doing the testing?

1.) To keep my system 'secure' and up-to-date at all times. Making sure I can find no vulnerabilities to exploit on my machine. Also, making sure I cannot exploit the vulnerabilities that I happen to find. Execute the payload, install a kernel rootkit and a user rootkit, etc...

2.)

3.) Value? It is to learn. I figure if I can hack my network/box(es), so can anyone else. I want to keep my system from being breached. Worst case scenario, I figure even if they do get in, ALL DATA on my system is using EFS encryption provided by NTFS. Plus it's fun.

Why do you pen test?
Why don't you pen test?
What is the value?
Who (what functions) should be doing the testing?

1) Regulatory compliance line item (PCI, HSPD-12 and HIPAA in my case) for risk assessment. The GREATEST risk is the unknown. Unless you pen test, you don't know if there are vulnerabilities. Ask your management chain if they are willing to sign off on an unknown risk. Watch how fast the attitude changes.

2) N/A

3) See #1, and also management is engaged in the due care concept. If your managers don't perform this cornerstone security task and by chance data is lost from your organization, your management chain can be nailed for not using due care. See the laws on this via Google. I'm sure your bosses don't like the idea of visiting the salad man in prison.

4) We use a tier approach to this. First, we ask the vendor for a list of known issues (if they will give it up). Second, we have a third party, BAE is my choice, run the tests. Then we have internal folks, me included, take a crack at it. In the end, we all compare notes. This yields the most effective results but of course costs the most.

--TH13

Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

There is a value difference between Internal/External Audits (your own employees or an outside company) and Internal/External Audits (let them come at the network from outside or from inside).

I'm not a big fan of having internal employees audit a network... but there is a big IF to that.... if they are the network department... If you have a security group that is in no way, shape or form related to the network department... then it's a great idea... but having the network department do the pentest (I've known companies that do this) is useless... Obviously they are going to secure the systems as much as they can and as best they can... so they aren't going to get into them...

I like TH13's method of the outside company and an internal group (which I believe in his case is separate from the network group... correct TH13?)...

Now the other one.. Do you get them to internally or externally audit your network... So many places go external only... These days more threats come from internal sources...

Then it comes down to what you need.

Some pen test companies look for one avenue into the network and then walk away..
Others will look for every avenue they can uncover..
Some will help you with policy review.. others won't...
Do they require network topology and policy before they'll start?
etc..

You have to really know what you want and why you want it before you get started... especially when everyone these days thinks they can turn around and do pen testing... It's humorous to watch the Security Focus Pen Test mailing list... everyone's second post is... I'm doing a pen test for company X, what should I do... that's the completely wrong approach... You don't just do a pen test... I feel so for the companies hiring these people... Then again... With places like VulnerabilityAssessment.co.uk releasing the Penetration Testing Framework... only bad things are to come... that framework is the biggest PoS I've ever seen...

Peace,
HT

IT Blog: .:Computer Defense:.PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

Originally posted here by HTRegz I'm not a big fan of having internal employees audit a network... but there is a big IF to that.... if they are the network department... If you have a security group that is in no way, shape or form related to the network department... then it's a great idea... but having the network department do the pentest (I've known companies that do this) is useless... Obviously they are going to secure the systems as much as they can and as best they can... so they aren't going to get into them...

Do you still feel this way if it is another group within the company doing the Pen Test? For example, if the auditing department worked as an independent function of Finance instead of IT?

Good discussion points so far. Keep 'em coming! Thanks!

-Deeboe


Originally posted here by Deeboe: Do you still feel this way if it is another group within the company doing the Pen Test? For example, if the auditing department worked as an independent function of Finance instead of IT?


I believe I said that right in the quote... If you have a separate and distinct group then it's fine... but a lot of places will have the same group that deploys and configures the network also do its audits, and that doesn't work overly well.
